DNSSEC: Complex, But Important for Internet Security

Sean Leach | Jan 27, 2012

If I could describe DNSSEC in one word, it would be "important." Another word that often describes it though is "complex."

What is DNSSEC, and why is it so important and complex? Well, DNS, as you may know, is a little known (but absolutely critical) technology. It enables connections on the Internet by translating the familiar domain names we all type into the IP addresses that get us to the pages we want. Without DNS, the Internet doesn't work. Cryptography has a similar lack of visibility, but is also absolutely critical. When you mash the two of them together, you get the Domain Name System Security Extensions, commonly called DNSSEC.

DNSSEC provides a way of guaranteeing that an answer from the global DNS is the correct answer - which, as you can imagine, is pretty important. If I type in the domain for my bank's website, I sure hope the IP address my browser goes to belongs to the intended bank, not to some nefarious middle man trying to steal my data. This is the problem DNSSEC helps solve. I say DNSSEC is complex because there are terms associated with it like "zone signing," "key rollover," "algorithm strength," "data enumeration," etc. That's a LOT of terms to know just to be able to have a secure domain.

Because of this complexity, DNSSEC adoption has been slow. But thanks to a big announcement from Comcast earlier this month - that it is the first ISP in North America to provide resolution services for DNSSEC queries - security experts are once again urging IT departments to invest in DNSSEC now. Our own resident DNS expert Matt Larson was quoted in a recent NetworkWorld article discussing the importance of DNSSEC implementation.

The reality today is that there are only about 5,500 signed .com names and 2,000 signed .net names out of a total pool of about 113 million registered .com and .net names. That means only about .006% of all .com and .net names have adopted DNSSEC as of January 2012. This figure needs to improve in order to improve the overall security of the Internet. To help with this, Verisign has significantly eased the complexity of DNSSEC implementation in a few ways to drive adoption.

Once we signed the DNS root and the .COM and .NET top level domain servers, we knew the next piece of the global DNSSEC puzzle was to enable domain owners to take advantage of DNSSEC (DNSSEC only works if all of the parties in the DNS transaction are using it, from the recursive server, to the root, to the top level domain servers, to the DNS hosting company). So, last year, in our Managed DNS product, we enabled one-click DNSSEC: an easy way for customers to enable DNSSEC in their zone. Want DNSSEC for a domain? Customers simply click the "Enable DNSSEC" button. No worries about key rollover or any of the other voodoo terms that make your head spin. Verisign also offers free DNSSEC signing services to its registrars and established the DNSSEC Interoperability Lab to allow vendors and other members of the IT community to test the compatibility of their Internet and enterprise infrastructure components with DNSSEC. Lastly, Internet users can use the Verisign DNSSEC Analyzer tool to simply enter the domain names of the sites they frequent to learn whether or not those sites are DNSSEC compliant. You may be surprised by what you learn using this tool.

There are a host of support services for DNSSEC, but the first step is helping everyone realize the importance of implementing it. The announcement from Comcast is a big step in that direction and I look forward to seeing which big name company will be the next to announce it is DNSSEC enabled. Any guesses? Is your company DNSSEC enabled or working on it?